Document 12953154

advertisement
A quick look into
today’s APTs
Bogdan BOTEZATU – Senior e-threat analyst, Bitdefender
bbotezatu@bitdefender.com
Twitter: @bbotezatu
Copyright@bitdefender 2011 / www.bitdefender.com
5/30/2016 • 2
Intro to Targeted Attacks
• Pick up an entity to breach
– the larger it is, the higher the chances to find out more
information
• Do your homework: what software / hardware are they using.
Do they use applications that are known to be vulnerable?
• Pick an employee as target. And by the way, picking a target
is as easy as this:
Copyright@bitdefender 2011 / www.bitdefender.com
5/30/2016 • 3
Targeted Attacks
Copyright@bitdefender 2011 / www.bitdefender.com
5/30/2016 • 4
If that doesn’t work, target their spouses
Copyright@bitdefender 2011 / www.bitdefender.com
5/30/2016 • 5
What makes cyber-criminals worth their while?
• Information is power, it brings in intellectual property and
allows attackers to PLAN COUNTER-INTELLIGENCE
DEFENSE (See the Aurora APT in 2008).
• To create international incidents on other countries’ expense
• Create PANIC: why smash a plane into a building, when you
can trigger panic by just disconnecting people from the power
grid?
Copyright@bitdefender 2011 / www.bitdefender.com
5/30/2016 • 6
This is just supposition, right?
• 1982 – Trans-Siberian gas pipe blown up via SCADA bug
• 2009 – 2010 – Uranium enrichment facility at Natanz taken
out of production via master compromise of SCADA
• 2007 – 2012 – Flamer subverts isolated networks and
exfiltrates data in a manner never seen before.
• 2007 - 2012 – Red October targets state infrastructures,
including Romanian agencies and plants
• 2012 – MiniDuke – Highly targeted attack to make sure
malware does not infect beyond scope or gets analyzed
Copyright@bitdefender 2011 / www.bitdefender.com
5/30/2016 • 7
On the bright side… There is no bright side. Period.
• Nuclear missiles can’t be
launched or controlled via
Internet by unauthorized people.
Command mechanisms reside
in ISOLATED networks.
• SCADA systems are also
isolated from the Internet. This
doesn’t mean that the attackers
did not manage to take
complete control over them.
What would happen if FLAMER
hit a war control room instead of
a power plant?
Copyright@bitdefender 2011 / www.bitdefender.com
5/30/2016 • 8
Today’s mantra
State agencies can’t
safeguard a nation’s
security if they can’t
protect THEMSELVES
Copyright@bitdefender 2011 / www.bitdefender.com
5/30/2016 • 9
Still, it’s not going to happen to us
• Please tick the things that apply to your organization:
 We run a computer network on the premises
 (Some of) these computers are operated by humans
 They store information / data that we’d like to keep
away from public or that we monetize one way or
another.
 They run an operating system that is not custommade for our organization
Copyright@bitdefender 2011 / www.bitdefender.com
5/30/2016 • 10
Test results
• The question is not if an attack is going to happen, it’s
more when you’re going to detect the attack that is
currently ongoing in your organization.
o Recent history shows that HIGH PROFILE attacks
have been going on for more than five years until
they were identified.
o Modern malware is not going to show any infection
symptoms. Unless they’re designed to blow up gas
pipes. Or sabotage your country’s nuclear
program.
Copyright@bitdefender 2011 / www.bitdefender.com
5/30/2016 • 11
Now ask yourselves…
…How am I contributing to my organization’s compromise by not
taking measures?
 Exposing your employment relationship with the organization
 I’m straying from security best practices at work.
 I’m straying from security best practices AT HOME
 I’m not reporting to IT phishing / malware attacks which I did
NOT fall for. Some other users might have fallen for that.
Copyright@bitdefender 2011 / www.bitdefender.com
5/30/2016 • 12
Mitigation
Tighten security everywhere:
 Firewall gateways and isolate exposed services.
 Run anti-malware / anti-spam solutions on mail servers
 Enforce policies – DON’T EXPECT THE USER to obey
them by themselves (no USB, no Wi-Fi – AT ALL)
 Don’t allow telecommuting or work from home –
Especially if you are a GOV’T agency.
 Monitor network activity in search of strange patterns.
The Twitter connections you see may be C&C traffic.
 Plan in advance: security is not an afterthought.
 Minimize exploitation time: patch early or uninstall
product.
Copyright@bitdefender 2011 / www.bitdefender.com
5/30/2016 • 13
Questions?
Copyright@bitdefender 2011 / www.bitdefender.com
5/30/2016 • 14
Download